PT-2025-33094 · Unknown · Dolibarr Erp/Crm
Published 2025-08-13 · Updated 2025-08-15
CVE-2012-10059
CVSS v4.0: 9.4 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Dolibarr ERP/CRM versions prior to 3.1.1
Dolibarr ERP/CRM versions prior to 3.2.0
Description:
Dolibarr ERP/CRM contains a post-authentication operating system command injection issue in its database backup feature. The export.php script does not sanitize the sql_compat parameter, allowing an authenticated user to inject arbitrary system commands and achieve remote code execution on the server.
Recommendations:
Update Dolibarr ERP/CRM to version 3.1.1 or later (the issue affects versions prior to 3.1.1).
Update Dolibarr ERP/CRM to version 3.2.0 or later (the issue affects versions prior to 3.2.0).
Tags: Fix, RCE, OS Command Injection
Affected Products
Dolibarr Erp/Crm